On 23 Apr 2003 14:19:13 +0200, Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx> wrote in message <1051100353.12295.96.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>:

> On Wed 23/04/2003 at 12:08, Carsten Maass wrote:
> > Local LAN (192.168.20.*)
> >         |
> >         |
> >      Switch
> >         |
> >         |
> > Router/Firewall ---- DMZ (192.168.21.*)
> >         |
> >         |
> >         |
> >     Internet
> >
> > Everything runs smoothly, except for one thing: I am unable to
> > redirect DHCP requests from the clients on the local LAN to the DHCP
> > server inside the DMZ.
>
> You'll achieve this by setting a DHCP relay up. Due to what they are,
> DHCP packets cannot be routed through different IP networks (mainly
> because of the destination addresses that are used).
>
> But this kind of setup is not secure. If someone breaks into your DMZ,
> he will be able to obtain your LAN's configuration, and even tamper with it,
> acting on DHCP stuff. That's _very bad_. A DMZ compromise must not
> endanger the rest of the network's security.
>

..to put it short: get that dhcp server out of your dmz box and into a
lan box (or maybe the firewall). ..the dmz is _only_ for stuff you want
me, Saddam, Osama bin Laden, Bill Gates, the scriptkiddies and the FBI
to see. Here, I speak with authority; neither of us needs your dhcp
server. ;-)

--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three: best case, worst case, and just in case.
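The relay mechanics Cedric refers to (why a client's DHCP broadcast cannot cross the router, and what a relay agent does to it), as an added example that is not code from this thread. It constructs a DHCPDISCOVER, applies the relay agent's giaddr/hops rewrite, and shows how the server picks a pool from giaddr; the two networks are taken from the diagram, every other address, the pool names and the function names are assumptions.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Constructed illustration of the relay mechanics mentioned in the thread.  A client
# DHCPDISCOVER is a link-local broadcast (255.255.255.255, giaddr = 0), so a relay
# agent on the LAN-facing router must stamp its interface address into giaddr and
# unicast the copy to the server, which then chooses the pool from giaddr.
BOOTREQUEST = 1
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie preceding the options
HDR = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed BOOTP header: 236 bytes
ZERO = b"\0" * 4
# Hypothetical pools reusing the two networks from the diagram (values are made up).
POOLS = {"lan": "192.168.20.0/24", "dmz": "192.168.21.0/24"}

def build_discover(mac: bytes, xid: int) -> bytes:
    """Build a DHCPDISCOVER the way a client broadcasts it: every address field zero."""
    hdr = struct.pack(HDR, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,   # hops 0, broadcast flag
                      ZERO, ZERO, ZERO, ZERO, mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, 1]) + b"\xff"   # option 53 = message type 1 (DISCOVER)

def giaddr_of(pkt: bytes) -> str:
    return str(IPv4Address(pkt[24:28]))

def relay(pkt: bytes, relay_if_addr: str) -> bytes:
    """What a relay agent does (RFC 2131 s4.3.1, RFC 1542): if giaddr is still zero, set it
    to the address of the interface the request came in on, and bump the hop count.
    The relay unicasts the result to the server; the server replies to giaddr."""
    if pkt[0] != BOOTREQUEST:
        raise ValueError("a relay only forwards client requests")
    hops = pkt[3] + 1
    if hops > 16:                     # RFC 1542: drop requests that have crossed too many relays
        raise ValueError("hop count exceeded")
    giaddr = pkt[24:28] if pkt[24:28] != ZERO else IPv4Address(relay_if_addr).packed
    return pkt[:3] + bytes([hops]) + pkt[4:24] + giaddr + pkt[28:]

def select_pool(pkt: bytes, pools: dict, server_if_net: str):
    """Server side: serve a relayed request from the pool containing giaddr; a request
    with giaddr == 0 arrived on the server's own link.  A giaddr that matches no pool
    gets no lease, which is how the server refuses requests relayed from networks it
    was never configured for."""
    g = IPv4Address(giaddr_of(pkt))
    if g == IPv4Address("0.0.0.0"):
        g = IPv4Network(server_if_net).network_address
    for name, net in pools.items():
        if g in IPv4Network(net):
            return name
    return None
```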